The US Government Accounting Office has published a report on the
vulnerability of FAA equipment and avionics to cyberattack
http://www.gao.gov/products/GAO-15-370 . It makes three main points.
The third one is organisational; I am concerned here with the first two.

First, the FAA has not developed and apparently doesn't intend to develop a
threat model for its ground-based systems. Unsurprisingly, the GAO thinks
it might be a good idea to do so.

Many FAA ground-based systems are decades old and were installed in an era
which didn't need to worry as much about cybersecurity. Many of them are
dedicated systems, so some physical access would be required. But some are
not. Does anyone remember the NY ATC outage a quarter century ago?
http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1 Failure of a commercial
4ESS switch took out ATC. I seem to remember (or was it another incident?)
ATCOs coordinating by using their private mobile phones. A DoS attack on
ATC communications nowadays could take out a commercial switch but would
have to take out the cellular phone comms also. So there's the first entry
for the threat model.

Second, the GAO queries the wisdom of critical avionics and passenger
in-flight entertainment systems (IFE) sharing network resources. So did
many of us when it was first mooted (for the Boeing 787, I seem to recall).
Because, after all, the best start on assuring non-interference is physical
separation of networks and good shielding. And indeed someone recently
claimed on Fox News to be able to hack avionics through the IFE
http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/ .
He was apparently subsequently pulled from a flight out of Denver by the
FBI, interviewed for a number of hours and relieved of some kit.

People may think: "shooting the messenger". But hang on. Roberts told Fox
News (I quote from Fox) "We can still take planes out of the sky thanks to
the flaws in the in-flight entertainment systems...."

Here is a guy who claims publicly to be able to "take planes out of the
sky" getting on an airplane with computer equipment. It is surely the task
of security services to ensure he is not a threat in any way. If you were a
passenger on that airplane, wouldn't you like at least to know he is not
suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a
nice book to read and sent his kit ahead, separately, by courier?